diff options
author | kcwu <kcwu@chromium.org> | 2016-09-27 14:06:50 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-27 14:06:50 -0700 |
commit | ec7a9455c15b2cebb75a6036c8636beb601e543a (patch) | |
tree | 618beba7e39e567e645bbaa0b36ec008c50b5b41 | |
parent | 5060b2e37b82a2e2907e11685ed2998d06d8b452 (diff) | |
download | pdfium-ec7a9455c15b2cebb75a6036c8636beb601e543a.tar.xz |
Add fuzzer for jbig2 parsing
Review-Url: https://codereview.chromium.org/2370943004
-rw-r--r-- | testing/libfuzzer/BUILD.gn | 15 | ||||
-rw-r--r-- | testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc | 48 |
2 files changed, 63 insertions, 0 deletions
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn index 7049add6c5..e89918b05f 100644 --- a/testing/libfuzzer/BUILD.gn +++ b/testing/libfuzzer/BUILD.gn @@ -199,6 +199,21 @@ source_set("pdf_codec_icc_fuzzer") { ] } +source_set("pdf_codec_jbig2_fuzzer") { + testonly = true + sources = [ + "pdf_codec_jbig2_fuzzer.cc", + ] + deps = [ + "//third_party/pdfium:pdfium", + ] + configs -= [ "//build/config/compiler:chromium_code" ] + configs += [ + "//build/config/compiler:no_chromium_code", + ":libfuzzer_config", + ] +} + source_set("pdf_jpx_fuzzer") { testonly = true sources = [ diff --git a/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc b/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc new file mode 100644 index 0000000000..4416c9e82c --- /dev/null +++ b/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc @@ -0,0 +1,48 @@ +// Copyright 2016 The PDFium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <cstdint> + +#include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h" +#include "core/fpdfapi/fpdf_parser/include/cpdf_stream_acc.h" +#include "core/fxcodec/codec/ccodec_jbig2module.h" +#include "core/fxcodec/include/JBig2_DocumentContext.h" +#include "core/fxcodec/jbig2/JBig2_Context.h" +#include "core/fxge/include/fx_dib.h" + +static uint32_t GetInteger(const uint8_t* data) { + return data[0] | data[1] << 8 | data[2] << 16 | data[3] << 24; +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + const size_t kParameterSize = 8; + if (size < kParameterSize) + return 0; + + uint32_t width = GetInteger(data); + uint32_t height = GetInteger(data + 4); + size -= kParameterSize; + data += kParameterSize; + + std::unique_ptr<CFX_DIBitmap> bitmap(new CFX_DIBitmap); + if (!bitmap->Create(width, height, FXDIB_1bppRgb)) + return 0; + + std::unique_ptr<CPDF_Object, ReleaseDeleter<CPDF_Object>> stream( + new CPDF_Stream); + stream->AsStream()->SetData(data, size); + CPDF_StreamAcc src_stream; + src_stream.LoadAllData(stream->AsStream(), TRUE); + + CCodec_Jbig2Module module; + CCodec_Jbig2Context jbig2_context; + std::unique_ptr<JBig2_DocumentContext> document_context; + FXCODEC_STATUS status = module.StartDecode( + &jbig2_context, &document_context, width, height, &src_stream, nullptr, + bitmap->GetBuffer(), bitmap->GetPitch(), nullptr); + + while (status == FXCODEC_STATUS_DECODE_TOBECONTINUE) + status = module.ContinueDecode(&jbig2_context, nullptr); + return 0; +} |